Currently, it is common for malicious software such as computer viruses, worms, spyware, etc., to affect a computer such that it will not behave as expected. Malicious software can delete files, slow computer performance, clog e-mail accounts, steal confidential information, cause computer crashes, allow unauthorized access and generally perform other actions that are undesirable or not expected by the user of the computer.
Current technology allows computer users to create backups of their computer systems and of their files and to restore their computer systems and files in the event of a catastrophic failure such as a loss of power, a hard drive crash or a system operation failure. Assuming that the user had performed a backup prior to the failure, it can be straightforward to restore their computer system and files to a state prior to the computer failure. Unfortunately, these prior art techniques are not effective when dealing with infection of a computer by malicious software. It is important to be able to detect such malware when it first becomes present in a computer system, or better yet, before it can be transferred to a user's computer.
Prior art techniques able to detect known malware use a predefined pattern database that compares a known pattern with suspected malware. This technique, though, is unable to handle new, unknown malware. Other prior art techniques use predefined rules or heuristics to detect unknown malware. These rules take into account some characteristics of the malware, but these rules need to be written down manually and are hard to maintain. Further, it can be very time-consuming and difficult to attempt to record all of the rules necessary to detect many different kinds of malware. Because the number of rules is often limited, this technique cannot achieve both a high detection rate and a low false-positive rate.
Given the above deficiencies in the prior art in being able to detect unknown malware efficiently, a suitable solution is desired.